An Introduction To
Risk management policy
An organisation's risk management policy should set out its approach to and appetite for risk and its approach to risk management.
The policy should also set out responsibilities for risk management throughout the organisation. Furthermore, it should refer to any legal requirements for policy statements (e.g. for Health and Safety).
Attaching to the risk management process should be an integrated set of tools and techniques for use in the various stages of the business process. To work effectively, the risk management process requires:
· commitment from the Chief Executive Officer or Managing Director and executive management of the organisation;
· assignment of responsibilities within the organisation;
· allocation of appropriate resources for training and the development of an enhanced risk awareness by all stakeholders.
Role of the 'Board'
The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively. This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation's way of operating and is capable of acting as a 'sponsor' for risk management.
The Board should, as a minimum, consider, in evaluating its system of internal control:
· the nature and extent of downside risks acceptable for the organisation to bear within its particular business;
· the likelihood of such risks becoming a reality;
· how unacceptable risks should be managed;
· the organisation's ability to minimise the probability and impact on the business;
· the costs and benefits of the risk and control activity undertaken;
· the effectiveness of the risk management process;
· the risk implications of Board decisions.
Role of the 'Business Units'
This includes the following:
· the business units have primary responsibility for managing risk on a day to- day basis;
· business unit management is responsible for promoting risk awareness within their operations;
· they should introduce risk management objectives into their business;
· risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis;
· business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project.
Role of the risk management function
Depending on the size of the organisation the risk management function may range from a single risk champion, a part time 'Risk Manager', to a full scale risk management department.
The role of the risk management function should include the following:
· setting policy and strategy for risk management;
· primary champion of risk management at strategic and operational level;
· building a risk aware culture within the organisation including appropriate education;
· establishing internal risk policy and structures for business units;
· designing and reviewing processes for risk management;
· co-ordinating the various functional activities which advise on risk management issues within the organisation;
· developing risk response processes, including contingency and business continuity programmes;
· preparing reports on risk for the board and the stakeholders.
Role of 'Internal Audit'
The role of Internal Audit is likely to differ from one organisation to another. In practice, Internal Audit's role may include some or all of the following:
· focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organisation;
· providing assurance on the management of risk;
· providing active support and involvement in the risk management process;
· facilitating risk identification/assessment and educating line staff in risk management and internal control;
· co-ordinating risk reporting to the board, audit committee, etc.
In determining the most appropriate role for a particular organisation, Internal Audit should ensure that the professional requirements for independence and objectivity are not breached.
Resources and implementation
The resources required to implement the organisation's risk management policy should be clearly established at each level of management and within each business unit. In addition to other operational functions they may have, those involved in risk management should have their roles in coordinating risk management policy/strategy clearly defined.
The same clear definition is also required for those involved in the audit and review of internal controls and facilitating the risk management process. Risk management should be embedded within the organisation through the strategy and budget processes. It should be highlighted in induction and all other training and development as well as within operational processes e.g. product/service development projects.
The Security Practitioner
An Introduction to Information Security